A curious phishing attempt

a trout stuck in a net

I’ve recently switched from using the online services of one corporate technology giant to another, and with that came the need for a new browser and search engine. I opted to go all out on Microsoft and started using the new and improved Edge browser (based on Chromium) and Bing. It’s not as bad as people make it out to be, but the search results are still subpar. Moreover, their ads can contain some pretty interesting phishing attempts.

As a customer of the Dutch bank bunq and a developer by trade, I recently typed ‘bunq api’ into the search bar, only to be greeted by this result:

As you can see, the first three results are actually ads, in the same styling as actual search results. Just like that other tech giant. This is a pretty shitty practice to begin with, but even more worrisome once you know that the first two results are phishing sites.

When you click on them, you actually go to ‘inmuworld.in’ or whatever site is advertised, but then immediately get redirected to ‘http://bunq.live/’, a one-to-one copy of (the login screens of) ‘https://bunq.app’. As of this writing the domain has been taken down, but that wasn’t easy, as the registrar needed some proof. I sent them the domain, but it was just showing a white page.

Turns out the redirect is part of a masking attempt. Once you click the ad, you get a random tracking link assigned. This is by design, so Bing can tell the advertiser ‘hey, it’s this guy that clicked your ad’. This (presumably) gets checked by the intermediate site (‘inmuworld.in’ in this case), which assigns another random string that is appended to the actual bunq.live URL.

Obviously I don’t know the inner workings of either site, but once you have entered your information on the ‘bunq.live’ site, you won’t get to see it again, even if you revisit it with the same random string. This makes it much harder for a victim to prove, or even understand, where their login was stolen.
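To make that chain concrete from the defender's side, here is an added example (not code from the original post) that reconstructs a client's redirect hops from a few constructed proxy-log lines and flags any chain that ends on a host impersonating bunq; the log layout, the `PROTECTED` table and the sample tokens are assumptions.

```python
"""Flag proxy-log redirect chains that land on a brand-lookalike host.

Added example. The log lines are constructed to mirror the chain in the
post: ad click -> intermediate site -> lookalike bunq domain. The field
layout (ts client url status location) is an assumed generic format.
"""
from urllib.parse import urlsplit

# Brands to protect: registrable name -> TLDs the brand actually uses (assumed).
PROTECTED = {"bunq": {"app", "com"}}

# Constructed sample log: client 10.0.0.5 follows the full chain, 10.0.0.7 is legitimate.
SAMPLE_LOG = """\
2020-02-01T10:00:01Z 10.0.0.5 https://www.bing.com/aclick?ld=TRACK123 302 http://inmuworld.in/?c=TRACK123
2020-02-01T10:00:02Z 10.0.0.5 http://inmuworld.in/?c=TRACK123 302 http://bunq.live/?s=RND987
2020-02-01T10:00:03Z 10.0.0.5 http://bunq.live/?s=RND987 200 -
2020-02-01T10:05:00Z 10.0.0.7 https://bunq.app/login 200 -
"""

def lookalike_brand(host):
    """Return the brand a host impersonates, or None. Uses a simple
    'second-to-last label' heuristic, not the public suffix list."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]
    return name if name in PROTECTED and tld not in PROTECTED[name] else None

def parse_line(line):
    ts, client, url, status, location = line.split()
    return {"ts": ts, "client": client, "url": url,
            "status": int(status), "location": None if location == "-" else location}

def find_chains(log_text):
    """Walk each client's requests in order, linking a request to the previous
    one only if it was that request's Location target; report chains that
    reach a lookalike host, with the hostname of every hop."""
    by_client = {}
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        by_client.setdefault(rec["client"], []).append(rec)
    findings = []
    for client, recs in by_client.items():
        chain = []
        for rec in recs:
            if chain and rec["url"] != chain[-1]["location"]:
                chain = []          # not a continuation of the previous redirect
            chain.append(rec)
            brand = lookalike_brand(urlsplit(rec["url"]).hostname or "")
            if brand:
                findings.append({"client": client, "brand": brand,
                                 "hops": [urlsplit(r["url"]).hostname for r in chain]})
                chain = []
    return findings
```

Running `find_chains(SAMPLE_LOG)` reports one chain, `www.bing.com -> inmuworld.in -> bunq.live`, for client 10.0.0.5 and nothing for the genuine `bunq.app` visit.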

Luckily the new Edge browser also has a feature called ‘InPrivate’, so all my cookies are cleared and I can run the search again. So I did, with various search terms and various regions (through a VPN). It seemed like the phisher targeted Germany and the Netherlands only, with the search terms ‘bunq api’, ‘bunq app’, ‘bunq login’ and ‘bunq’.

With some persuasion the registrar took the site down. Later on I found another site, ‘bunq.site’, which was taken down almost immediately. I contacted bunq at the end of January on this matter but haven’t heard back from them yet.